By default every new RestApi instance replaces the single CloudWatch Role on API Gateway

We discovered that our API Gateway cloudwatch role was being overwritten by deployments of RestApi constructs. The CloudWatch Role is associated with the API Gateway’s Account resource. The API Gateway only supports 1 role for providing it the permissions required to write to CloudWatch so it seems strange to assume that every RestApi deployed is going to want to create that role and update the API Gateway Account automatically.

The cloudWatchRole property of RestApiProps should default to false.

Reproduction Steps

In an AWS account that has already setup API Gateway’s CloudWatch Role (by whatever means) run:

$ aws apigateway get-account
{
    "cloudwatchRoleArn": "arn:aws:iam::NNNNNNNNN:role/apigateway.amazonaws.com",
    "throttleSettings": {
        "burstLimit": 1050,
        "rateLimit": 2100.0
    },
    "features": [
        "UsagePlans",
        "ArbitraryUsageIdentifierKeys"
    ],
    "apiKeyVersion": "4"
}

Note the cloudwatchRoleArn and deploy a new stack that uses the RestApi construct without providing a value for the cloudWatchRole property. When you run aws apigateway get-account again you will see that the RestApi construct creates a new role and overwrites the role association that was previously established with API Gateway’s Account resource.

Error Log

In our case we found that when the role was replaced our existing api gateway deployments were no longer able to write to cloudwatch logs. Our workaround is to do our best to ensure that nobody creates a RestApi construct without setting the cloudWatchRole property to false.

Environment

• **CLI Version :cdk version 1.31.0, aws-cli/1.16.260
• **Framework Version:1.31.0
• **OS :Mac OS
• **Language :Typescript

Other

This is 🐛 Bug Report